Skip to main content

Gotenberg CVE-2026-35458

| EUVDEUVD-2026-19651 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-04-07 GitHub_M GHSA-fmwg-qcqh-m992
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 07, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 15:00 euvd
EUVD-2026-19651
Analysis Generated
Apr 07, 2026 - 15:00 vuln.today
CVE Published
Apr 07, 2026 - 14:24 nvd
HIGH 8.7

DescriptionGitHub Advisory

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

AnalysisAI

Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).

Technical ContextAI

Gotenberg is a Docker-powered stateless API for converting various document formats (HTML, Markdown, Office documents) to PDF. The vulnerability resides in the regular expression handling layer where user-controlled scope patterns are compiled using the dlclark/regexp2 Go library without timeout constraints. CWE-1333 (Inefficient Regular Expression Complexity) describes this class of vulnerability as Regular Expression Denial of Service (ReDoS), where specially crafted input patterns cause exponential-time evaluation through catastrophic backtracking. When processing user requests containing malicious regex patterns, the regexp2 engine enters unbounded computation states, exhausting worker thread resources. The affected component (cpe:2.3:a:gotenberg:gotenberg) is typically deployed as a microservice in document processing pipelines, making availability disruption particularly impactful for dependent services.

RemediationAI

Upgrade to Gotenberg version 8.29.2 or later once released, monitoring the GitHub security advisory at https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992 for specific patch version confirmation. Until patched versions are deployed, implement network-level access controls to restrict API exposure to trusted clients only, reducing attack surface from unauthenticated internet sources. Consider rate limiting on endpoints accepting scope pattern parameters to mitigate resource exhaustion impact. Organizations unable to immediately upgrade should disable or restrict features utilizing user-supplied regular expression patterns if application architecture permits. Review application logs for unusual patterns of worker hangs or regex compilation delays that may indicate exploitation attempts. Subscribe to Gotenberg project notifications for release announcements and apply security updates promptly given the network-accessible attack vector.

Share

CVE-2026-35458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy